The fexecve function could be implemented entirely in libc,
via execve(2) on a file name of the form "/proc/self/fd/<N>".
Any security concerns around fexecve() also apply to exec of
/proc/self/fd/<N>.
I gave a try to this approach. There is an unexpected issue:
The descriptor is probably already "closed on exec" before the syscall
tries to use it.
I believe that we should not "fix" that without a proper design
of how all the parts will work together.
Some questions that I would like to see answered are: Should it
be possible to exec a fd only if a special flag was used in the
open(2) call? Should the file's executability be checked at open
time or at exec time, or both, or does it depend on open flags or
on what happened to the fd in between open and exec? Should the
record of the fact that the fd may be eligible for exec be erased
when the fd is passed from one process to another? Always or only
sometimes? How can fds obtained from procfs be made to follow the
rules?
--apb (Alan Barrett)
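As an added example (not code from this thread, from NetBSD or from any libc), a user-space emulation of fexecve(3) along the lines described above, with the close-on-exec case handled explicitly. The function names, the refusal of FD_CLOEXEC descriptors with EBADF, and the exec-time mode-bit check are assumptions about how one could do it, not the behaviour of any existing implementation.

```c
/* Added example (not from the thread): fexecve(3) emulated via execve(2) on "/proc/self/fd/<N>". */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "/proc/self/fd/<N>" into buf; 0 on success, -1 with ENAMETOOLONG. */
int procfd_path(int fd, char *buf, size_t len) {
    int n = snprintf(buf, len, "/proc/self/fd/%d", fd);
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    return 0;
}
/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 (errno from fcntl) on a bad fd. */
int fd_has_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}
/* Exec-time executability check: a regular file with at least one execute bit. */
int fd_is_regular_executable(int fd) {
    struct stat st;
    if (fstat(fd, &st) < 0) return -1;
    return S_ISREG(st.st_mode) && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
}

/* Refuses a close-on-exec fd with EBADF: on a kernel that closes such fds before
 * resolving the path (the failure the message reports) the exec cannot find it. */
int fexecve_procfs(int fd, char *const argv[], char *const envp[]) {
    char path[64];
    int rc = fd_has_cloexec(fd);
    if (rc != 0) { if (rc == 1) errno = EBADF; return -1; }
    rc = fd_is_regular_executable(fd);
    if (rc != 1) { if (rc == 0) errno = EACCES; return -1; }
    if (procfd_path(fd, path, sizeof path) < 0) return -1;
    return execve(path, argv, envp);           /* only returns on failure */
}
/* Constructed scenario: an executable-by-mode temp file is refused while
 * FD_CLOEXEC is set and passes once the flag is cleared. 0 = expected outcome. */
int demo_cloexec_case(void) {
    char tmpl[] = "/tmp/fexecve-demo-XXXXXX";
    int fd = mkstemp(tmpl); if (fd < 0) return 1;
    unlink(tmpl);                              /* the open fd stays valid */
    if (fchmod(fd, 0700) < 0 || fd_is_regular_executable(fd) != 1) return 2;
    if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0 || fd_has_cloexec(fd) != 1) return 3;
    if (fexecve_procfs(fd, NULL, NULL) != -1 || errno != EBADF) return 4;
    if (fcntl(fd, F_SETFD, 0) < 0 || fd_has_cloexec(fd) != 0) return 5;
    close(fd); return 0;
}
```

The demo never reaches execve(2), so it can be run without /proc mounted; the refusal path is what it exercises.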